
chore: Add Linear release automation for tags #2644

Merged: elibosley merged 2 commits into master from codex/linear-release-automation, May 18, 2026
@elibosley (Member) commented May 18, 2026

Summary

Adds a GitHub Actions workflow that syncs Linear releases when Unraid OS tags are pushed, with a manual dispatch path for backfilling existing tags.

Behavior

  • Runs automatically for any pushed tag.
  • Can be run manually with tag_name for existing tags.
  • Routes hyphenated pre-release tags, such as beta/rc/test builds, to the internal Linear pipeline via LINEAR_INTERNAL_ACCESS_KEY.
  • Routes plain stable tags like 7.3.0 to the public Linear pipeline via LINEAR_PUBLIC_ACCESS_KEY.
  • Syncs the Linear release name/version as Unraid OS <tag> without completing the release.

Validation

  • Parsed .github/workflows/linear-release.yml with Ruby YAML loading.
  • Confirmed the workflow no longer falls back to the legacy LINEAR_ACCESS_KEY secret.

Summary by CodeRabbit

Chores

  • Added an automated workflow to sync Git tag releases with an external release tracker (Linear). Triggers on pushed tags and manual dispatch, distinguishes internal vs public release channels, validates tag formats and credentials, runs the appropriate sync step, and writes a summary including a link when a release is created or updated.

- Purpose: add a tag-driven GitHub Actions workflow that syncs Unraid OS releases into Linear.

- Before: creating a Git tag did not automatically create or update a Linear release for webgui.

- Problem: release tracking in Linear required manual work and existing tags had no reusable backfill path.

- New behavior: pushed tags and manually selected existing tags resolve to either the internal or public Linear pipeline.

- How it works: hyphenated pre-release tags use LINEAR_INTERNAL_ACCESS_KEY, plain x.y.z tags use LINEAR_PUBLIC_ACCESS_KEY, and the workflow runs linear/linear-release-action without completing releases.

@coderabbitai (bot, Contributor) commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 70f32377-b2bb-47e6-9d02-92b569517bea

📥 Commits

Reviewing files that changed from the base of the PR and between 27041c4 and cfe599e.

📒 Files selected for processing (1)
  • .github/workflows/linear-release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/linear-release.yml

Walkthrough

New GitHub Actions workflow that resolves pushed or manually supplied Git tags, classifies them as internal or public releases, selects the matching Linear API key, runs the appropriate linear/linear-release-action@v0 sync, and appends a result to the GitHub step summary.

Changes

Linear Release Sync Workflow

| Layer | File(s) | Summary |
|---|---|---|
| Workflow setup and execution model | .github/workflows/linear-release.yml (lines 1–37) | Workflow is triggered on pushed tags and manual dispatch, granted minimal read permissions, concurrency-controlled, gated to unraid/webgui, uses ubuntu-latest and bash, and checks out the tag with full history. |
| Tag resolution and channel determination | .github/workflows/linear-release.yml (lines 38–72) | Resolves tag from pushed ref or workflow_dispatch input, validates the tag exists locally, derives release_channel as internal (contains -) or public (semver), and exports tag_name, release_name, and release_channel. |
| Credential validation and dual-path sync execution | .github/workflows/linear-release.yml (lines 73–119) | Selects the channel-specific Linear secret, fails if missing or empty, then conditionally runs exactly one sync step (internal or public) invoking linear/linear-release-action@v0 with name and version from the resolved tag. |
| Operation summary reporting | .github/workflows/linear-release.yml (lines 120–167) | Always-run step reads sync outputs, determines channel-specific release URL/name/version, and appends a formatted result to $GITHUB_STEP_SUMMARY indicating the selected tag/channel and whether a release was created/updated (with link if provided). |

Sequence Diagram

sequenceDiagram
  participant GitHub as GitHub Actions
  participant Git as Git Repository
  participant Resolver as Tag Resolution Logic
  participant SecretMgr as Secret Validation
  participant LinearAction as linear-release-action
  participant Summary as Step Summary

  GitHub->>Git: Checkout tag with full history
  Git-->>GitHub: Repository ready
  
  GitHub->>Resolver: Resolve tag name from ref/input
  Resolver->>Git: Validate tag exists
  Git-->>Resolver: Tag confirmed
  Resolver->>Resolver: Determine channel (internal/public)
  Resolver-->>GitHub: Export tag_name, release_name, release_channel

  GitHub->>SecretMgr: Validate Linear key secret for release_channel
  SecretMgr-->>GitHub: Secret verified (or fail)

  alt channel = internal
    GitHub->>LinearAction: Sync internal release with internal API key
    LinearAction-->>GitHub: release_url output
  else channel = public
    GitHub->>LinearAction: Sync public release with public API key
    LinearAction-->>GitHub: release_url output
  end

  GitHub->>Summary: Append execution result (channel, tag, release_url)
  Summary-->>GitHub: Summary written to step output

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A tag hops in, the workflow wakes with cheer,
Secrets chosen quiet, the channel soon clear.
Linear listens, a release takes flight,
A summary stitched, a link glowing bright.
Hooray — small paws synced deploy tonight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow for Linear release automation triggered by Git tags. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@elibosley changed the title from "[codex] Add Linear release automation for tags" to "chore: Add Linear release automation for tags" on May 18, 2026
@elibosley marked this pull request as ready for review May 18, 2026 17:23

@coderabbitai (bot, Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/linear-release.yml:
- Around line 33-35: The workflow uses floating action tags (actions/checkout@v4
and linear/linear-release-action@v0); replace each of those three references
with their corresponding full commit SHAs to make them immutable, and add a
trailing inline comment indicating the original semantic tag (e.g., "# v4" or "#
v0") for maintainability; update the occurrences referenced as
actions/checkout@v4 and linear/linear-release-action@v0 accordingly so the
workflow references the SHA pins instead of the floating tags.
- Around line 120-164: The summary step ("Summarize Linear release") currently
only checks RELEASE_URL to decide if a release was created, which misreports
failures as "no Linear release"; pass the job status into the step (e.g. add env
JOB_STATUS: ${{ job.status }}) and in the run block check JOB_STATUS first (if
JOB_STATUS != "success" echo a failure line referencing TAG_NAME and JOB_STATUS)
before treating an empty RELEASE_URL as a no-op, updating the conditional that
emits "no Linear release was created or updated" to only be used when JOB_STATUS
is "success" and RELEASE_URL is empty.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e6ddadcd-d481-47ce-8a81-a497a43be30b

📥 Commits

Reviewing files that changed from the base of the PR and between b78d577 and 27041c4.

📒 Files selected for processing (1)
  • .github/workflows/linear-release.yml

Comment on lines +33 to +35
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag_name || github.ref_name }}
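
Review bot: The `ref:` expression hands `inputs.tag_name` to checkout unqualified, so on the manual dispatch path the value may resolve to a branch or commit SHA rather than a tag, and the tag-existence check only runs in a later step. Consider qualifying the ref on both paths, for example `ref: refs/tags/${{ github.event_name == 'workflow_dispatch' && inputs.tag_name || github.ref_name }}`, so that checkout can only land on a tag.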


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read the relevant sections
if [ -f ".github/workflows/linear-release.yml" ]; then
  echo "=== File exists. Checking line 33-35 ==="
  sed -n '33,35p' .github/workflows/linear-release.yml
  echo ""
  echo "=== Checking lines 105-118 ==="
  sed -n '105,118p' .github/workflows/linear-release.yml
  echo ""
  echo "=== Full file for context ==="
  cat -n .github/workflows/linear-release.yml
else
  echo "File does not exist"
fi

Repository: unraid/webgui

Length of output: 7533


Pin action references to immutable SHAs.

These steps use floating action tags (@v4, @v0). GitHub's security guidance calls full-length commit SHAs the only immutable way to reference actions, and that matters here because the Linear action is an external action that receives pipeline access keys. (docs.github.com)

Replace all three action references with their full commit SHAs:

  • Line 33: actions/checkout@v4
  • Lines 105 and 114: linear/linear-release-action@v0

Include version tag comments for maintainability (e.g., # v4, # v0).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/linear-release.yml around lines 33 - 35, The workflow uses
floating action tags (actions/checkout@v4 and linear/linear-release-action@v0);
replace each of those three references with their corresponding full commit SHAs
to make them immutable, and add a trailing inline comment indicating the
original semantic tag (e.g., "# v4" or "# v0") for maintainability; update the
occurrences referenced as actions/checkout@v4 and
linear/linear-release-action@v0 accordingly so the workflow references the SHA
pins instead of the floating tags.
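
A check for the pinning finding above, as an added example that is not part of the PR or of CodeRabbit's output: it lists every `uses:` reference in a workflow file that is not pinned to a 40-character commit SHA. The sample workflow and the SHA in it are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report `uses:` references not pinned to a full commit SHA.

# Print "line:reference" for each unpinned action in the workflow file $1.
# Local actions (./path) and docker:// images carry no Git ref and are skipped.
find_unpinned_actions() {
  awk '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)     # drop a trailing "# v4" style comment
      gsub(/["\047]/, "", ref)       # drop optional quoting
      sub(/[ \t]+$/, "", ref)
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, part, "@")
      sha = part[n]
      # Pinned means: has a ref, 40 characters long, lowercase hex only.
      if (n < 2 || length(sha) != 40 || sha ~ /[^0-9a-f]/) print NR ":" ref
    }
  ' "$1"
}

# Constructed sample: two floating tags, one SHA pin (placeholder SHA, not a
# real commit of actions/checkout), one local action.
scan_sample() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
jobs:
  sync:
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Sync internal release
        uses: linear/linear-release-action@v0
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
EOF
  find_unpinned_actions "$tmp"
  rm -f "$tmp"
}

scan_sample
```

Run `find_unpinned_actions` over each file under `.github/workflows/` in CI and fail the job when it prints anything.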

Comment thread .github/workflows/linear-release.yml
- Purpose: make the Linear release workflow summary distinguish failed sync attempts from successful no-op runs.

- Before: the always-running summary step only checked for a release URL and reported missing URLs as no release created.

- Problem: failed or cancelled jobs could be misreported as harmless no-op release syncs.

- New behavior: the summary receives job.status and reports non-success statuses before checking for a release URL.

- How it works: JOB_STATUS is passed into the summary step and the no-release message is only emitted after a successful job with an empty release URL.
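
The two decisions this PR describes, channel routing by tag shape and the status-first summary, sketched as an added example; this is not the workflow's own code, which is not shown on this page. The function names, the sample tags other than 7.3.0, the message wording and the rejection of tags that match neither form are assumptions.

```shell
#!/bin/sh
# Added example: tag-to-channel routing and status-first summary logic.

# Print the channel for a tag. Hyphenated tags are internal, plain x.y.z
# tags are public, anything else is rejected so that no key gets selected.
classify_tag() {
  case "$1" in
    "")  return 1 ;;
    *-*) echo internal ;;
    *)   printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
         echo public ;;
  esac
}

# Name of the secret for a channel, with no fallback to any other key.
secret_for_channel() {
  case "$1" in
    internal) echo LINEAR_INTERNAL_ACCESS_KEY ;;
    public)   echo LINEAR_PUBLIC_ACCESS_KEY ;;
    *)        return 1 ;;
  esac
}

# Summary line; args: job_status tag release_url. The job status is checked
# first, so a failed run is never reported as a harmless no-op.
summary_line() {
  if [ "$1" != "success" ]; then
    echo "Linear sync for $2 did not succeed (job status: $1)"
  elif [ -z "$3" ]; then
    echo "No Linear release was created or updated for $2"
  else
    echo "Linear release for $2: $3"
  fi
}

# Constructed sample tags: stable, pre-release, and one matching neither form.
for tag in 7.3.0 7.3.0-beta.1 latest; do
  if channel=$(classify_tag "$tag"); then
    echo "$tag -> $channel ($(secret_for_channel "$channel"))"
  else
    echo "$tag -> rejected, no key selected"
  fi
done
```
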
@elibosley merged commit 30231c5 into master May 18, 2026
4 checks passed
@elibosley deleted the codex/linear-release-automation branch May 18, 2026 19:52